Network Connect w/ external DHCP server not working under 6.4r2

stine_
Super Contributor

I am trying to configure my IVE to use an external DHCP server instead of using internal pools. I continue to receive the following error:

NWC23466 2009-08-22 17:26:06 - ive - [172.16.255.2] tvaniderstine(testing)[testing] - Network Connect: IP address cannot be allocated to user tvaniderstine. Solution: Check IP Address Pools / DHCP server state.

Here is what I have:

system: sa-2000 version 6.4R2

Realm: testing

Role: testing

NC Access policy:

Name: testing policy
Description: for testing only
Resources: 192.168.0.0/16:*

* Policy applies to selected roles

Selected roles: testing

Action: Allow access

NC Connection Profile:

Name: testing connection profile
Description: for testing only
IP address assignment
* DHCP servers
192.168.0.1
Connection Settings
Transport: ESP
UDP port: 4500
ESP to NCP fallback timeout: 15
Key lifetime (time): 60
Key lifetime (bytes): 0
Replay Protection: (yes)
Compression: (no)
Encryption: AES256/SHA1

DNS Settings
DNS Settings: IVE DNS Settings
DNS search order: Search client DNS first, then the device

Proxy Server Settings
No proxy server

Roles
Policy applies to SELECTED roles
Selected roles: testing

NC Split Tunnelling Policy

Name: testing
Description: for testing only

Resources
Resources: 192.168.0.0/16

Roles
Policy applies to SELECTED roles
Selected roles: testing

Action Allow access

NC Bandwidth Management Policy:

None

I'm not sure what to do next. I have sniffed the DHCP traffic on the DHCP server and it looks correct. I have run TCP Dump on the IVE, and I see the DHCP request leave the IVE, and I see the reply arrive back from the DHCP server, but the NC client never receives it (or ignores it), so I keep getting the dreaded 23791 error.

I did read somewhere that this didn't function in previous releases, but I have not been able to find anything about 6.4. I have read through the Admin Guide, and every result that Google returned, and I'm still not sure why it doesn't work.

Not that it makes any difference, but I have tried Windows Server 2008 and CentOS 5.3 as DHCP servers, and my problem is the same.

Any pointers or hints would be appreciated.

Thanks.

firewall72_
Frequent Contributor

Re: Network Connect w/ external DHCP server not working under 6.4r2

Hi,

How is your IVE/SA deployed? Is it a one arm or two arm? What does your topology look like? DHCP is typically an easy process with the SA and Network Connect. The problems I've seen is when my clients deploy a one arm SA in the DMZ or the DHCP server is located on another subnet behind a L3 switch. In both cases you would need to configure an DHCP Relay (ScreenOS) or IP Helper (Cisco). Let me know.

-John

kenlars_
Super Contributor

Re: Network Connect w/ external DHCP server not working under 6.4r2

What IP address is your DHCP server returning? Is this within the networks allowed for NC in your network settings?

Are you using IVSs? If so, the subnet which contains the address must also be assigned to the IVS.

Ken

stine_
Super Contributor

Re: Network Connect w/ external DHCP server not working under 6.4r2

John, Ken:

My IVE is in one-arm mode, and not running IVS. The DHCP server and IVE are both on the same /24 network.

Here are the addresses that I'm using:

IVE internal interface: 192.168.0.38/24
IVE Network Connect Server IP Address: 192.168.0.87
DHCP server: 192.168.0.1/24
DHCP scope 1: 192.168.0.208/27
DHCP scope 2: 192.168.0.128/27


Originally, The IVE NC server IP was 10.200.200.200, but changing it to 192.168.0.87 didn't make any difference that I could see.

Both of you indicate that you've been using DHCP for NC clients for some time. Can you tell me if the older (5.x or before) docs are more thorough? I'll be downloading them in case they are.

Thanks again.

stine_
Super Contributor

Re: Network Connect w/ external DHCP server not working under 6.4r2

Ok, I've gone back and read the NC config docs for 4.1-5.4, and from what I've read, the behavior that I am trying to create is only available via IVS license (which won't work on my SA-2000). I believe that the 'Network Connect Server IP Address' is used as the DHCP relay address, so I think what I'm going to have to do is create a single DHCP scope (192.168.0.128/25) and use "Network Connect Access Policies" to restrict where clients can go, as opposed to doing this in my firewall by having assigned different scopes to each realm/role. I can live with this. It just means that my firewall rules are going to have to be more permissive than I like, and the access control will have to be done in the IVE.

I still need help getting my DHCP configuration functional. I'm going to reconfigure my DHCP server/IVE as follows:

Network Connect Server IP Address 192.168.0.87

DHCP server: 192.168.0.1
DHCP scope: 192.168.0.128/25
dns1: 192.168.0.84
dns2: 192.168.0.85
gw: 192.168.0.4

NC Access control policy group1-ac-profile: resources 192.168.1.0/24
NC Access control policy group2-ac-profile: resources 192.168.2.0/24
NC Connection profile group1-nc-profile: DHCP server 192.168.0.1
NC Connection profile group2-nc-profile: DHCP server 192.168.0.1
NC Split Tunneling policy group1-st-profile: resource 192.168.0.0/16
NC Split Tunneling policy group2-st-profile: resource 192.168.0.0/16

Again, thanks for the assistance.
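An added sanity check for the plan above, written here as an example and not code from the IVE or from any poster. It models the three points raised in the thread with Python's `ipaddress` module: whether the DHCP server shares a subnet with the NC server IP (the relay/IP-helper point), whether the DHCP scope lies inside the split-tunnel resources (the "is the address within the allowed networks" point), and how the per-role NC access policies gate destinations once a single scope is used. The addresses are the ones quoted in the thread; the function names are my own.

```python
import ipaddress

# Values taken from the planned configuration in this thread (constructed model).
IVE_INTERNAL_NET = "192.168.0.0/24"      # subnet of the IVE internal interface
NC_SERVER_IP = "192.168.0.87"            # Network Connect Server IP Address
DHCP_SERVER_IP = "192.168.0.1"
DHCP_SCOPE = "192.168.0.128/25"
SPLIT_TUNNEL_RESOURCES = ("192.168.0.0/16",)
# Per-role NC access-control policies that replace the per-scope firewall rules.
ROLE_RESOURCES = {
    "group1": ("192.168.1.0/24",),
    "group2": ("192.168.2.0/24",),
}


def dhcp_relay_needed(nc_server_ip: str, dhcp_server_ip: str, ive_net: str) -> bool:
    """One-arm SA: the NC server IP is the source of the DHCP exchange, so the
    DHCP server must be on the same subnet unless a relay/IP helper forwards it."""
    net = ipaddress.ip_network(ive_net)
    return not (ipaddress.ip_address(nc_server_ip) in net
                and ipaddress.ip_address(dhcp_server_ip) in net)


def scope_covered(scope: str, resources) -> bool:
    """A scope outside every split-tunnel resource hands the client an address
    that the tunnel will never route, which is what the NWC error looks like."""
    scope_net = ipaddress.ip_network(scope)
    return any(scope_net.subnet_of(ipaddress.ip_network(r)) for r in resources)


def scope_leases_nc_server_ip(scope: str, nc_server_ip: str) -> bool:
    """The NC server IP must never be handed out as a client lease."""
    return ipaddress.ip_address(nc_server_ip) in ipaddress.ip_network(scope)


def role_allows(role: str, dst_ip: str) -> bool:
    """Evaluate the per-role NC access policy for one destination address."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(r) for r in ROLE_RESOURCES.get(role, ()))


def check_plan() -> dict:
    """Run all checks against the planned configuration; True/False per finding."""
    return {
        "relay_needed": dhcp_relay_needed(NC_SERVER_IP, DHCP_SERVER_IP, IVE_INTERNAL_NET),
        "scope_covered_by_split_tunnel": scope_covered(DHCP_SCOPE, SPLIT_TUNNEL_RESOURCES),
        "scope_leases_nc_server_ip": scope_leases_nc_server_ip(DHCP_SCOPE, NC_SERVER_IP),
    }
```

Running the same relay check with the original NC server IP of 10.200.200.200 reports that a relay would be needed, which matches the symptom of replies that never reach the client.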

stine_
Super Contributor

Re: Network Connect w/ external DHCP server not working under 6.4r2

Ok, that was so easy that it's embarrassing. I want to thank you guys for pointing me in the right direction.